pageok
pageok
pageok
"Internet records to be stored for a year":
I don't normally follow EU privacy law, as it's often quite different from US privacy law, but this news from across the pond seemed worth noting:
  A European Union directive, which Britain was instrumental in devising, comes into force which will require all internet service providers to retain information on email traffic, visits to web sites and telephone calls made over the internet, for 12 months. Police and the security services will be able to access the information to combat crime and terrorism.
  Hundreds of public bodies and quangos, including local councils, will also be able to access the data to investigate flytipping and other less serious crimes. It was previously thought that only the large companies would be required to take part, covering 95 per cent of Britain's internet usage, but a Home Office spokesman has confirmed it will be applied "across the board" to even the smallest company.
  Notably, there is no such law in the United States. ISPs can keep records for as long or as short as they like. Of course, not everyone is happy with that, but that's the current system.

  Thanks to Elizabeth Joh for the original link.

  UPDATE: Commenter martinned chimes in with some helpful context:
The Directive in question is Directive 2006/24 of 15 March 2006. It was recently upheld by the ECJ in a constitutional challenge as to its legal basis in Case C-301/06, Ireland v Parliament &Council, of February 10, 2009. Most of the Directive has already entered into force, but Member States were allowed to postpone its application to various internet activities until 15 March this year (art. 15(3) of the Directive), which, I guess, is why the Telegraph was writing about it. As to the period of storage, under art. 6 the Member States are allowed to set it anywhere between 6 months and 2 years. Apparently, the UK, like most MS, opted for 1 year.

Soronel Haetir (mail):
Somehow this seems like another feel good measure, high cost, low payoff, much like the UK's fixation on cameras. Plus unless you're going to require packet level recording which would quickly produce huge storage requirements people who care will switch to different protocols or tunnelling or any number of other ways to make tracking harder.

Too bad anonymous remailers never really took off in a big way.
4.9.2009 9:38pm
martinned (mail) (www):
"quite different"... That's certainly one way to describe it.
Normally, the difference is that in the EU privacy law actually exists. This directive, of course, is a notable exception.

Just to clear up a few things, since the Daily Telegraph is hardly the most reliable place to look for information on the EU: The Directive in question is Directive 2006/24 of 15 March 2006. It was recently upheld by the ECJ in a constitutional challenge as to its legal basis in Case C-301/06, Ireland v Parliament &Council, of February 10, 2009. Most of the Directive has already entered into force, but Member States were allowed to postpone its application to various internet activities until 15 March this year (art. 15(3) of the Directive), which, I guess, is why the Telegraph was writing about it.
As to the period of storage, under art. 6 the Member States are allowed to set it anywhere between 6 months and 2 years. Apparently, the UK, like most MS, opted for 1 year. (In my country, the Netherlands, there was a bit of a disagreement within the coalition on this question. In the end they settled on 1 year as well, instead of the 18 months originally proposed.)
4.9.2009 9:45pm
Avatar (mail):
How, precisely, does the ability to search through my Internet activities serve in prosecuting me for... illegal disposal of wastes?
4.9.2009 9:55pm
Wang Chung:
I was really shocked when I visited Italy a few eeks ago that I needed to register with a photo ID at internet cafes in order to use the machines. Presumably the cafes keep track of who uses which computer when and what sites are visited. Apparently it's because of a recent anti-terrorism law. It felt very invasive to me.
4.9.2009 10:28pm
josh bornstein (mail) (www):
Wang,
India is the same (in parts of the country that have been affected by repeated terrorism, eg. the West Bengal areas; not in Delhi or Mumbai, however, based on my trips there). Also true in parts of Burma and Viet Nam. Interesting to see your experience in Italy--I did not come across that in other parts of Europe.
4.9.2009 10:38pm
Fub:
One needn't be a computer scientist to understand just how technically and economically absurd these ISP user data retention laws are. I've read WAG estimates that even smallish ISPs would need hundreds to thousands of terabytes storage each year for just the minimal required data. That's no small expense, even without counting the cost of machine time and internal network bandwidth necessary to gather and store it.

While I suspect that to many in Congress it is "feel good" legislation, to some other entrenched politicians the broader the use to which government (and those with "connections") could put such information, the better. What will begin as a law to "fight crime" will become every slimy politician's wet dream -- access to records of the internet activities and contacts of his political opponents, including email correspondents and VOIP activity.

Another obvious fact is that determined criminals using the internet for communication will learn to encrypt everything, to use encrypted links to offshore anonymous proxy servers, etc. They simply won't be detectable on the radar.

The net result will be that only the most inept criminals will be discovered through retained data, and plenty of two-bit politicians and bureaucrats will figure out a way to use their local police or some other agency to spy on whoever they choose.

One, maybe the only, mitigating factor for such a law is that the sheer volume of data will be sufficient that plowing through it looking for something specific will take lots of machine time and some fairly expert searchers. So, it is possible that no matter how much money government throws at an investigative agency, they still won't be able to keep up with spying on everybody. Big Brother just doesn't scale well after some critical size.
4.9.2009 11:01pm
martinned (mail) (www):
I don't mean to sound ungrateful for having been elevated to the front page, but it's too bad the link I put in wasn't put on the front page as well. Without it, my "context" will mean very little to most readers. The link would allow US readers to see the actual legislation, instead of having to rely on the lay summary of the (Eurosceptic) Daily Telegraph.

As for the practical use of this measure: I'm not knowledgeable enough to add much, but I would like to note that this information can be used for other purposes than data mining. If you already know what you're looking for, such data retention would presumably be quite useful.
4.9.2009 11:20pm
Malvolio:
Also true [demanding to see ID] in parts of Burma and Viet Nam.
I went to dozens of cafes in both those countries and never had to show ID.

Which was good, because I was breaking the law. At least I was in Burma, because I was reading my Yahoo mail, which is blocked in Burma. Thank God for free proxies.

If I contemplate any mischief in the EU, I now know to use proxies there too, so thanks for the heads-up.
4.10.2009 12:50am
/:
It's hard to care about this, but one could get worked up on the private property angle.

Without data retention laws, there are faint trails, deals with private companies (like email providers) to get traffic information with varying detail, and the possibility of providers with a no-retention policy. In other words, private property is being managed as the owner desires. With data retention laws, ISPs (and who knows who else) is taxed with providing results that law enforcement demands.

And, as always, when encrypting your traffic is outlawed, only outlaws will encrypt their traffic. After all, you have nothing to hide, right?
4.10.2009 2:46am
pintler:

One needn't be a computer scientist to understand just how technically and economically absurd these ISP user data retention laws are. I've read WAG estimates that even smallish ISPs would need hundreds to thousands of terabytes storage each year for just the minimal required data.


I don't follow the math. If each user sends 50 emails per day, and you retain 1K of addressee and subject data, and views 50 1K URLs, that's 100K per user per day, or 36.5M per year. It would be highly compressible data, so you'd need to store no more than 10M per user per year. You could fit 50+ users on a CD-ROM (you wouldn't use CDs at that scale, but it puts it in perspective). It is frightening to me precisely because it is feasible.


One, maybe the only, mitigating factor for such a law is that the sheer volume of data will be sufficient that plowing through it looking for something specific will take lots of machine time and some fairly expert searchers.


I must disagree. Doing queries like 'who visited both http://jihad.com and did a google map search for 1600 Pennsylvania Ave' or 'who visited http://internal.detroit.police.dept.mi.gov and emailed radley.balko@whereever.com' would be trivial (if the info itself was centralized).


The net result will be that only the most inept criminals will be discovered through retained data, and plenty of two-bit politicians and bureaucrats will figure out a way to use their local police or some other agency to spy on whoever they choose.


I completely agree there.
4.10.2009 8:59am
Andy Freeman (mail):
> I don't follow the math. If each user sends 50 emails per day, and you retain 1K of addressee and subject data, and views 50 1K URLs

You can't just retain the addresses, you need to retain the content as well.

It's a couple of hundred MB/month per modest user.
4.10.2009 1:34pm
Fub:
pintler wrote at 4.10.2009 8:59am:
I don't follow the math. If each user sends 50 emails per day, and you retain 1K of addressee and subject data, and views 50 1K URLs, that's 100K per user per day, or 36.5M per year. It would be highly compressible data, so you'd need to store no more than 10M per user per year. You could fit 50+ users on a CD-ROM (you wouldn't use CDs at that scale, but it puts it in perspective). It is frightening to me precisely because it is feasible.
That's because I didn't do any math. I recalled several WAGs that I read or saw links to in Slashdot discussions of the subject moons ago.

But I do think your guesstimates of user data capture and retention are low. For example, I generally use dialup and I visit many times 50 URLs per day. For email, your guesstimates may be more accurate. But you disregard the operational fact that both machine and human resources must be dedicated to recording and retaining the data. The data retention servers must be installed and maintained like any other server. Those marginal costs will be much less marginal for a mom and pop ISP than for a behemoth.

I agree that if such retention actually costs even small operators very little, that its civil liberties implications are even more frightening.
I must disagree. Doing queries like 'who visited both http://jihad.com and did a google map search for 1600 Pennsylvania Ave' or 'who visited http://internal.detroit.police.dept.mi.gov and emailed radley.balko@whereever.com' would be trivial (if the info itself was centralized).
But the info would not be centralized unless ISPs were required to convey it all regularly to a centralized authority. Currently, ISP user records are available to government only by subpoena. If the law creates essentially a perpetual subpoena for all ISPs, then that central authority must be equipped and staffed. That is yet another expense that somebody must pay for.

Someone has to do the searching (presumably a government agency), and they'll need both staff and software considerably fancier and more expensive than grep.

One need only look at the ham-handed and expensive debacle that surrounds China's and Australia's national firewalls against "offensive" URLs, for some measure of the costs that such grand schemes impose upon ISPs and other internet businesses.

Agreed that such a law would be even more horrifying if it were very cheap to implement. But if such a law passes as it stands now, we'll get the worst of both worlds. Internet access costs will go up, ISPs will suffer measurable and possibly severe economic costs, AND civil liberties will be severely eroded.
4.10.2009 2:20pm
pintler:

You can't just retain the addresses, you need to retain the content as well.


That is potentially a much different 4th amendment situation, and you can get a great deal of info just from the addressee info. In the example given, you think someone in the police dept. has been giving inside info to Mr. Balko. You search for mac addresses that have accessed both the police department online timecard system, and sent email to Mr. Balko. That fingers your suspect pretty well w/o any content info.

People can try various flavors of proxies, etc. It's not my area of expertise, but just off the top I imagine you could automate unrolling those too. I sure could be wrong, in which case those who are careful and computer savvy enough could 'opt out'.


But the info would not be centralized unless ISPs were required to convey it all regularly to a centralized authority...
Someone has to do the searching (presumably a government agency), and they'll need both staff and software considerably fancier and more expensive than grep...


Well, you could pass a law ('for the children|to stop terrorists') that every ISP must maintain the data in an RFC 999.99 compliant manner, which means accepting realtime queries from authorized law enforcement sources. Now you have distributed the workload. I work for a university, and we are sort of the ISP for 100K or so students/staff/faculty. We maintain considerably more detailed info than this for 30 days, and I routinely troll through it to troubleshoot problems. It is really easy to do. On a governmental scale, neither cost nor technology will be a burden, IMHE. I just asked google to find me every page on the net that contains 'mandolin' and 'kumquat'. It found 2940 or them in 0.27 seconds. Cross checking web pages and emails won't be any more difficult than that, and even if every LEO in America does several queries a day, it won't come anywhere near google's volume - and the Gov can certainly buy as many computers as google.


Agreed that such a law would be even more horrifying if it were very cheap to implement. But if such a law passes as it stands now, we'll get the worst of both worlds. Internet access costs will go up, ISPs will suffer measurable and possibly severe economic costs, AND civil liberties will be severely eroded.


I agree totally, except I think it will be a lot cheaper than you do :-(
4.10.2009 3:53pm
ras (mail):
Are the regs also in effect on those who run their own email servers in their own homes, for personal use? Such configurations are not difficult to set up.
4.10.2009 4:14pm
einhverfr (mail) (www):
This is a "privacy law" in the same way we might have an "armed robbery law." Seems that the goal is to get rid of privace (when the government, as opposed to Google, does it, at least).
4.10.2009 5:51pm
cboldt (mail):
-- You can't just retain the addresses, you need to retain the content as well. --
.
The EU Directive specifies what information must be retained, and "contents" are not to be retained.
.
Anybody who runs a web or mail server knows what the activity logs for those services contain. It's the activity logs that are retained, and their size makes it inexpensive to retain a few years history.
4.11.2009 10:04am

Post as: [Register] [Log In]

Account:
Password:
Remember info?

If you have a comment about spelling, typos, or format errors, please e-mail the poster directly rather than posting a comment.

Comment Policy: We reserve the right to edit or delete comments, and in extreme cases to ban commenters, at our discretion. Comments must be relevant and civil (and, especially, free of name-calling). We think of comment threads like dinner parties at our homes. If you make the party unpleasant for us or for others, we'd rather you went elsewhere. We're happy to see a wide range of viewpoints, but we want all of them to be expressed as politely as possible.

We realize that such a comment policy can never be evenly enforced, because we can't possibly monitor every comment equally well. Hundreds of comments are posted every day here, and we don't read them all. Those we read, we read with different degrees of attention, and in different moods. We try to be fair, but we make no promises.

And remember, it's a big Internet. If you think we were mistaken in removing your post (or, in extreme cases, in removing you) -- or if you prefer a more free-for-all approach -- there are surely plenty of ways you can still get your views out.